Facebook tucks default privacy settings away where you have to go dig for them – not exactly what you’d consider a way to get informed consent, the Berlin Regional Court in Germany has decided. And what’s up with that real-name policy that doesn’t allow users to be anonymous?

Illegal, illegal, illegal: that’s what the court has decreed on those and five of Facebook’s terms of service.

According to a judgment (PDF; in German) handed down by the Berlin court in mid-January and publicly revealed on Monday, Facebook collects and uses personal data without providing enough information to users to constitute meaningful consent. The Guardian reports that the case against Facebook was brought by the federation of German consumer organizations (VZBV), which argued that Facebook force-opts users by default into features it shouldn’t.

According to Germany’s Federal Data Protection Act, companies can only collect and use personal data with the consent of those affected. How can users make informed consent if they don’t know what’s going on?

They can’t, the VZBV said:

In order for them to make informed choices, providers must provide clear and understandable information about the nature, extent and purpose of the use of the data.

The VZBV pointed out these shortcomings in Facebook’s privacy settings:

Location service for mobile phones is activated by default. This reveals locations of people who use chat.

Search engines get a link to the participants’ activity history by default, making it easy for anybody online to stumble across things like profiles and account photos.

In all, the VZBV complained about five of Facebook’s privacy presets. The Berlin judges agreed with the privacy group about all of them: the presets are “ineffective,” the VZBV said, and there’s no guarantee that a user would even take note of their existence.

The Berlin Regional Court also declared eight clauses in Facebook’s terms of service to be invalid, including terms that allow Facebook to transmit data to the US and use personal data such as usernames and profiles for commercial purposes.

The court also ruled Facebook’s authentic name policy illegal. That policy once required users to go by their “real names” on the platform, but after a plethora of stories of how people have been harmed by the real-name policy, Facebook revised it in 2015 to permit whatever names users go by in real life… as long as that name doesn’t include expletives; titles; special characters; words, phrases or characters from multiple languages; or anything offensive or suggestive.

That’s not good enough, said the Berlin court: The current name policy is illegal because it disallows anonymity.

Dünkel:

Providers of online services must also allow users to participate anonymously, for example [by] using a pseudonym.

Facebook told The Guardian that it plans to appeal the decision, but that it’s “working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law.”

Chief Operating Officer Sheryl Sandberg said last month that the plan was for Facebook to make it easier for users to manage their own data:

We’re rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data.

Sandberg said that the creation of this “privacy center” was prompted by the requirements of the GDPR: a regulation that requires any company that does business in the EU to take specific steps to more securely collect, store and use personal information. The aim of the GDPR is to give Europeans more control over their information and how companies use it.

Facebook’s actually been trying to give people more transparency and control for a while, Sandberg said at the time. Of course, there’s nothing like the prospect of mammoth fines to speed the plough. From The Guardian’s coverage of Sandberg’s remarks:

…companies found to be in breach of GDPR face a maximum penalty of 4% of global annual turnover or €20m (£17.77m), whichever is greater. In Facebook’s case, based on a total revenue of $27.6bn in 2016, the maximum possible fine would be $1.1bn.

Post navigation

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

3 comments on “Facebook’s privacy settings are illegal, says court”

Not using Facebook is easy as it is truly pointless IMO. It is the computer equivalent of daytime TV soaps.

However, giving up Google is harder because Google gives back real value. It’s Android mobile OS is better value than the Apple choice, Google Search is really the best when looking for local results, and Chrome is the standard for browsers – every web site is tested to work on it, the Gmail is the best I have found for weeding out spam and leaving the real e-mails, etc.

I think regulation like this being attempted in Germany may be the only way to go if governments can somehow work for the citizens and not the corporations.

It seems like there are plenty of sites one can post anonymously, where personal attacks and improper behavior can occur without concern for ones actions. Also, it seems very difficult to post anything without someone (or a computer program) being able to figure out where you are/being able to track you. If you are so concerned about your anonimity, stay off social media. Or at the very least, be a part of one that has fewer restrictions.